ACE: 4710 Policy-Map NAT

Greets. I have a scenario where the rservers are located on two different VLAN's in One Arm Mode.
My question is, am I able to assign two different NAT commands in my policy map (as written below)? Will the NAT command only kick off for the selected rservers vlan?
policy-map multi-match PM_Loadbalance
class VIP_Farm
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    nat dynamic 7 vlan 7
    nat dynamic 741 vlan 741
Thanks,
-b

Hello Brian-
You can apply 2 different NAT statements, yes.
The way it works:
1.) A client sends a SYN into a vlan where the vip is applied as a service-policy input.
2.) The ACE matches the SYN to the class in question, the loadbalance policy is checked, and eventually a server in the associated serverfarm is chosen.
3.) ACE prepares to forward the SYN out of the appropriate VLAN based on the route table.
4.) Before the packet leaves, if the packet will egress either vlan 7 or 741, the the packet would be source NATted by the group number mentioned in the statement. This occurs because the "vlan 7" and "vlan 741" in the NAT statements under the class are filters. If the destination matches either vlan, then the nat group for that statement is used.
i.e.
rserver host server_1
ip address 10.0.0.10
inservice
rserver host server_2
ip address 172.16.35.60
inservice
serverfarm host SF_1
rserver server_1
inservice
class-map match-any VIP_80
2 match virtual-address 172.16.35.80 tcp eq 80
policy map type loadbalance first-match LB
class class-default
serverfarm SF_1
policy map multi-match X
class VIP_80
loadbalance policy LB
loadbalance vip inservice
nat dynamic 5 vlan 7
nat dynamic 7 vlan 741
interface vlan 7
ip address 172.16.35.2 255.255.255.0
nat 5 172.16.35.100 172.16.35.100 netmask 255.255.255.0 pat
service-policy input X
Interface vlan 741
ip address 10.0.0.2 255.255.255.0
nat 7 10.0.0.100 10.0.0.100 netmask 255.255.255.0 pat
service-policy input X
If a packet comes into either vlan destine to 172.16.35.80 on port 80, it will be balanced to either 10.0.0.10 or 172.16.35.60. If 10.0.0.10 was chosen, then natpool 7 under vlan 741 would be used because 10.0.0.10 is layer 2 adjacent to vlan 741. If 172.16.35.60 was chosen, then natpool 5 would be chosen because that server is layer 2 adjacent to vlan 7.
Regards,
Chris Higgins

Similar Messages

ACE 4710 client NAT (outgoing)

Hi Experts,
     I have a ace 4710 set as load balancing http and https only, seems working fine.
     Now I have another requirment to NAT all real servers IP (server side internal network 10.8.8.0) to VIP (192.168.1.20).
our configuration is as below,
two real server ip are 10.8.8.2 and 10.8.8.3 connected to VLAN interface v500 (ip is 10.8.8.254)
vlan v400 face to public, v400 interface ip 192.168.1.10, and one VIP 192.168.1.20, VIP is mapped to two real servers.
I need to config: all outgoing trafic from network 10.8.8.0 to public to NAT the source IP to 192.168.1.20 (VIP, not the interface real IP 192.168.1.10).
Thanks,
BQ

Here are a few things you could try
1. nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.0 pat
changeto
nat-pool 5 192.168.1.20 192.168.1.20 netmask 255.255.255.255 (/32 host)
2.service-policy input remote-access
do you have a management Vlan interface defined if so add to that interface
3. The requirements are to LB http (80), and https (443). In this case you would need two seperate VIPS defined
VIP1:
class-map match-all slb-vip
2 match virtual-address 192.168.1.20 eq tcp 80
VIP2:
class-map match-all slb-vip
2 match virtual-address 192.168.1.20 eq tcp 443
Is there a requirement to redirect http traffic ? If so you would need to define another class-map to redirect http traffic to https
show service-policy client-vips detail
HTH

ACE 4710 A3 outbound static NAT with Port redirection

Hi
I have asked this question before, but as I have not get far with it I am going to try to be more specific this time.
I have a server that needs to do an outbound connection to a mail server. The connection has to be initiated to port 26, that then will be NATed to the external IP and port 26 redirected to port 25 for the SMTP connection.
When I try to configure this:
ACE-2/TEST(config-pmap-c)# nat static x.x.x.x netmask 255.255.255.255 tcp eq 23 vlan 99
I get the error: Error: Invalid real port configured for NAT static
Any ideas what it means anyone?

Right. Forget about the previous question. I have an update.
I get this output on show nat policies at the moment:
NAT object ID:39 mapped_if:19 policy_id:50 type:STATIC static_xlate_id:64
ID:64 Static port translation
Real addr:172.21.7.11 Real port:26 Real interface:18
Mapped addr:x.x.x.x Mapped port:25 Mapped interface:19
Netmask:255.255.255.255
where x.x.x.x - is the Public, external IP address on the ACE.
I need the traffic FROM the 172.21.7.11 server going anywhere TO port 26 to be remapped to x.x.x.x port 25. At the moment it does not do it. The service policy on the inside doesn't even get a hit when I am telnetting from the 172.21.7.11 server on port 26 to the outside world. It does get hits when I telnet to x.x.x.x external IP address from outside.
Something is telling me I am looking at it from a wrong direction altogether.
This is the config I have at the moment:
access-list 130 line 20 extended permit ip any any
access-list Source_NAT line 10 extended permit tcp host 172.21.7.11 eq 26 any
class-map match-any Class_Port26
2 match access-list Source_NAT
policy-map multi-match Policy_Port26_Static
class Class_Port26
nat static x.x.x.x netmask 255.255.255.255 tcp eq smtp vlan 99
interface vlan 107
ip address 172.21.7.2 255.255.255.240
peer ip address 172.21.7.1 255.255.255.240
access-group input 130
service-policy input Policy_Port26_Static
no shutdown
No server farms, no load balancing. Just that.
Any ideas?

ACE - Policy map bound to multiple interface

Hello,
I have a policy map bound to multiple VLAN interfaces. The policy is pretty standard, any traffic hitting the VIP is load balanced.
Now, is it ok to assign the same policy map / VIP to to multiple VLAN interfaces on a virtual context?
I addition, I should add that one of the clients hitting the vip are the servers configured in the serverfarm of the context.
Basically the requirement here is that the rservers are client and server at the same time.
The problem I have is that when one of the servers send an HTTP request to the VIP, the ACE module reset the connection. I can see the dropped conns counter increasing as i generate requests to the ACE.
Rdgs,
Thibault.

Thibault,
the RESET is probably comming from the server.
If the server sends a SYN to the VIP, the packet is nated and forwarded to another server which sees a packet coming from a neighbor server (not ACE) and sends the SYN/ACK directly to the client(rserver).
This one is expecting a packet from the VIP and not the server itself and sends a RST.
You need to enable client nat for server opening connections to the vip.
Gilles.

Best practice for web servers behind a router (NAT, ACL, policy-map, VLAN)

Hi,
I'm a new Network admin, and I have some configuration questions about my installation (see attachment).
I have 3 web servers behind a router.
Public interface: 3 public ip adresses
Private interface: router on a stick config ( 3 sub-interfaces, 3 different networks, 3 VLAN)
I would to know the best way to redirect http traffic to the right server.
My idea is to map a public address to a private address, via NAT, but I'm not sure for the configuration. I could also redirect via Policy-map and filter by url content.
So if you have some advise for this case, it would be really appreciated.
Thank you.
Chris.

Hello Christophe,
As I understand you want 1st that ;
if somebody go to A.local.com from internet then he will redirect to 192.168.1.10 in your internal network.
That means, you need static mapping between your public @ip address and your local ip address.
for this example, your local interface is Fa0/0.1 and I dont your public interface because it is not mention in your diagram. I will suppose S0/0 for public interface.
that is the config for the Web Server1. You can do the same with the remaining servers:
interface fa0/0.1
ip nat inside
interface serial0/0
ip nat outside
ip nat inside source static 192.168.1.10 172.1.2.3
static mapping from local to public.
I suppose you have done the dns mapping in your network and the ISP have done the same in his network.
ip route 171.1.2.3 interface serial0/0
or
ip route 0.0.0.0 0.0.0.0 interface serial0/0.
After these step for each web server, you will get the mapping.
Now you can restrict access to this ip only to http or https protocol on your isp and after on your local network
like
ip access-list extended ACL_WebServer1
permit ip any 192.168.1.10 eq www
deny ip any 192.168.1.10
exit
interface fa0/0.1
ip acess-group ACL_WebServer1 in
no shut
exit
That is the first step.
Second step : you want to filter traffic by url, that means layer 5 to 7 filtering.
I am not sure that it is possible using cisco router with (ZBF + Regex).
Check the first step and let us know !
Please rate and mark as correct if it is the case.
Regards,

Need help to Configure Cisco ACE 4710 Cluster Deployment

Dear Experts,
I'm newbie for Cisco ACE 4710, and still I'm in learning stage. Meanwhile I got chance at my work place to deploy a Cisco ACE 4710 cluster which should load balance the traffic between two Application Servers based on HTTP and HTTPS traffic. So I was looking for good deployment guide in Cisco SBA knowledge base then finall found this guide.
http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
This guide totally fine with my required deployment model. I have same deployment environment as this guide contains with ACE cluster that connects to two Cisco 3750X (Stack) switches. But I have some confusion places in this guide
This guide follow the "One-armed mode" as a deployment method. But when I go through it further I have noticed that they have configured server VLAN as a 10.4.49.0/24 (all servers reside in it) and Client side VIP also in same VLAN which is 10.4.49.100/24 (even NAT pool also).
My confusion is, as I have learned about Cisco ACE 4710 one-armed mode deployment method, it should has two VLAN segments, one for Client side which client request come and hit the VIP and then second one for Server side. which means besically two VLANs. So please be kind enough to go through above document then tell me where is wrong, what shoud I need to do for the best. Please this is an urgent, so need your help quickly.
Thanks....!
-Amal-

Dear Kanwal,
I need quick help for you. Following are the Application LB requirements which I received from my clinet side.
Following detail required for configuring Oracle EBS Apps tier on HA:
LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
Suggested IP and Name for LBR:
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm detail for LBR Setup
Following detail will be use for configuring the LBR:
LBR IP and Name :
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm Detail for LBR setup:
Server 1 (EBS App1 Node, ap1ebs):
IP : 172.25.45.19
Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be use]
Protocol: http
Port: 8000
Server 2 (EBS App2 Node, ap2ebs):
IP : 172.25.45.20
Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be use]
Protocol: http
Port: 8000
Since my client needs to access URL ebiz.xxxx.lk which should be resolved by IP 172.25.45.21 (virtual IP) via http (80) before they deploy the app on the two servers I just ran web service on both servers (Linux) and was trying to access http://172.25.45.21 it was working fine and gave me index.html page. Now after my client has deployed the application then when he tries to access the page http://172.25.45.21 he cannot see his main login page. But still my testing web servers are there on both servers when I type http://172.25.45.21 it will get index.html page, but not my client web login page. What can I do for this ?
Following are my latest config :
probe http Get-Method
description Check to url access /OA_HTML/OAInfo.jsp
interval 10
faildetect 2
passdetect interval 30
request method get url /OA_HTML/OAInfo.jsp
expect status 200 200
probe udp http-8000-iRDMI
description IRDMI (HTTP - 8000)
port 8000
probe http http-probe
description HTTP Probes
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
request method get url /index.html
expect status 200 200
probe https https-probe
description HTTPS traffic
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
ssl version all
request method get url /index.html
probe icmp icmp-probe
description ICMP PROBE FOR TO CHECK ICMP SERVICE
rserver host ebsapp1
description ebsapp1.xxxx.lk
ip address 172.25.45.19
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
rserver host ebsapp2
description ebsapp2.xxxx.lk
ip address 172.25.45.20
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
serverfarm host ebsppsvrfarm
description ebsapp server farm
failaction purge
predictor response app-req-to-resp samples 4
probe http-probe
probe icmp-probe
inband-health check log 5 reset 500
retcode 404 404 check log 1 reset 3
rserver ebsapp1 80
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
rserver ebsapp2 80
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
sticky http-cookie jsessionid HTTP-COOKIE
cookie insert browser-expire
replicate sticky
serverfarm ebsppsvrfarm
class-map type http loadbalance match-any default-compression-exclusion-mime-type
description DM generated classmap for default LB compression exclusion mime types.
2 match http url .*gif
3 match http url .*css
4 match http url .*js
5 match http url .*class
6 match http url .*jar
7 match http url .*cab
8 match http url .*txt
9 match http url .*ps
10 match http url .*vbs
11 match http url .*xsl
12 match http url .*xml
13 match http url .*pdf
14 match http url .*swf
15 match http url .*jpg
16 match http url .*jpeg
17 match http url .*jpe
18 match http url .*png
class-map match-all ebsapp-vip
2 match virtual-address 172.25.45.21 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
    permit
policy-map type loadbalance first-match ebsapp-vip-l7slb
class default-compression-exclusion-mime-type
    serverfarm ebsppsvrfarm
class class-default
    compress default-method deflate
    sticky-serverfarm HTTP-COOKIE
policy-map multi-match int455
class ebsapp-vip
    loadbalance vip inservice
    loadbalance policy ebsapp-vip-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 455
interface vlan 455
ip address 172.25.45.36 255.255.255.0
peer ip address 172.25.45.35 255.255.255.0
access-group input ALL
nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
service-policy input remote_mgmt_allow_policy
service-policy input int455
no shutdown
ft interface vlan 999
ip address 10.1.1.1 255.255.255.0
peer ip address 10.1.1.2 255.255.255.0
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 999
ft group 1
peer 1
no preempt
priority 110
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 172.25.45.1
Hope you will reply me soon
Thanks....!
-Amal-

ACE: a class-map with multiple ports... what about the probe/serverfarm?

Hello Gilles,
One question about something I was not able to find in the documentation.
Lets say I have one class-map which includes 2 ports (in this case https and 5061).
Can I associate this class-map to just 1 generic serverfarm and probe for both ports or I have to specify 2 serverfarms/rservers/probes?
So, by not specifying the ports on the rserver, if a request is received on port 443 (or 5061), it is sent to the same respective port on the rserver?
The same way is valid for the generic probe. ACE module is able to probe both ports based on the class-map?
Thanks and have a great day!!
Giulio.
probe tcp PROBE_GENERIC_TCP
description This probe works for all TCP services by inheriting the VIP port.
interval 15
faildetect 2
passdetect interval 15
passdetect count 2
open 2
rserver host SERVER1_ACCESS
ip address <1AC>
inservice
rserver host SERVER2_ACCESS
ip address <2AC>
inservice
serverfarm host ACCESS-SFARM
probe PROBE_GENERIC_TCP
rserver SERVER1_ACCESS
    inservice
rserver SERVER2_ACCESS
    inservice
class-map match-any OCS_L4ACCESS
2 match virtual-address x.x.x.176 tcp eq https
2 match virtual-address x.x.x.176 tcp eq 5061
policy-map type loadbalance first-match OCS_L4ACCESS
class class-default
    sticky-serverfarm ACCESS_STICKY
policy-map multi-match POLICY
class OCS_L4ACCESS
loadbalance vip inservice
loadbalance policy OCS_L4ACCESS
loadbalance vip icmp-reply active
connection advanced-options OCS_VIPTIMEOUT
nat dynamic XXX vlan 503

Even if you use the 4710 appliance or expect the inheritance in the module software, it's worth considering if this is really what you want. If you keep multiple ports in the L3/L4 class-map you can't handle the services independently. You will have a common serverfarm for both https and 5061. If https service stops on one rserver, the ACE will place that rserver (and not that service) in out-of-operation state and it won't receive any 5061 traffic either. (You have the fail-on-all probe option but I wouldn't say it's a better choice. In that case, https traffic would be sent to the rserver even if https port is closed as long as there is at least one working service on it.) That's why I prefer a separate class-map and separate serverfarm for each service. (They can contain the same rservers, no need to duplicate.) BUT if the software supports probe port inheritance, you can benefit from it even in this scenario: serverfarm-443 and serverfarm-5061 can both use your PROBE_GENERIC_TCP.

ACE 4710 - Internet Explorer cannot display the webpage randomly

We have a ACE 4710 with a basic config, (see below).
When clicking on a tab from a window within Interent explorer we occasionally get an issue with it returning: "Internet Explorer cannot display the webpage" The details show "Access is denied" accessing a particular line of a javascript file.
We have put one web server out of service in the farm to make sure that this isn't a result of stickyness not quite working.
We have tested extensively by going directly to the web server directly without the load balancer and cannot reproduce the problem but we can produce the issue within a few minutes when going to the load balanced address.
Thanks in advance for any advice.
HOST-1/Admin# show run
Generating configuration....
logging enable
logging fastpath
logging standby
logging timestamp
logging trap 6
logging history 6
resource-class SLB_ResourceClass_T_R
limit-resource all minimum 10.00 maximum unlimited
resource-class sticky
limit-resource all minimum 10.00 maximum unlimited
boot system image:c4710ace-t1k9-mz.A5_1_2.bin
peer hostname HOST-2
hostname HOST-1
interface gigabitEthernet 1/1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
shutdown
interface gigabitEthernet 1/3
description LB003
switchport access vlan 1
shutdown
interface gigabitEthernet 1/4
description LB004
switchport access vlan 2
shutdown
interface port-channel 1
port-channel load-balance src-dst-port
no shutdown
clock timezone standard GMT
switch-mode
context Admin
description SUTLB01
member SLB_ResourceClass_T_R
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe tcp probe_tcp_80
port 80
rserver host Server_S_W301
description Server_S_W301
ip address x.x.32.152
inservice
rserver host Server_S_W302
description Server_S_W302
ip address x.x.32.154
inservice
serverfarm host sfarm_T_R
description sfarm_T_R
predictor leastconns
probe probe_tcp_80
rserver Server_S_W301 80
rserver Server_S_W302 80
    inservice
sticky http-cookie Cookie1 T_R_sticky_cookie
cookie insert browser-expire
timeout 3600
serverfarm sfarm_T_R
class-map match-any T_R_L4Class
2 match virtual-address x.x.33.150 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
    permit
policy-map type loadbalance first-match T_R_L7policy
class class-default
    sticky-serverfarm T_R_sticky_cookie
policy-map multi-match T_R_L4Policy
class T_R_L4Class
    loadbalance vip inservice
    loadbalance policy T_R_L7policy
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 1000
interface vlan 1000
ip address x.x.33.148 255.255.254.0
access-group input ALL
nat-pool 2 x.x.33.151 x.x.33.151 netmask 255.255.254.0 pat
service-policy input remote_mgmt_allow_policy
service-policy input T_R_L4Policy
no shutdown
ip route 0.0.0.0 0.0.0.0 x.x.32.1
ssh key rsa 1024 force

+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 421347     , TCP data msgs sent       : 2099597
Inspect parse result msgs : 0          , SSL data msgs sent       : 0
                      sent
TCP fin msgs sent         : 6169       , TCP rst msgs sent:       : 769
Bounced fin msgs sent     : 5          , Bounced rst msgs sent:   : 1
SSL fin msgs sent         : 0          , SSL rst msgs sent:       : 0
Drain msgs sent           : 337811     , Particles read           : 5040829
Reuse msgs sent           : 0          , HTTP requests            : 342499
Reproxied requests        : 183422     , Headers removed          : 37475
Headers inserted          : 342124     , HTTP redirects           : 0
HTTP chunks               : 224859     , Pipelined requests       : 71466
HTTP unproxy conns        : 267246     , Pipeline flushes         : 0
Whitespace appends        : 0          , Second pass parsing      : 0
Response entries recycled : 71302      , Analysis errors          : 0
Header insert errors      : 22         , Max parselen errors      : 215
Static parse errors       : 99         , Resource errors          : 0
Invalid path errors       : 0          , Bad HTTP version errors : 0
Headers rewritten         : 0          , Header rewrite errors    : 0
SSL headers inserted      : 0          , SSL header insert errors : 0
SSL spoof headers deleted : 0         , Unproxy msgs sent         : 267246
HTTP passthrough stat     : 0
NOTE - We did turn on caching at one point to try and resolve the issue but it has since been turned off

ACE 4710 breaks single sign-on on IE

I haven't run into this before and I can't find anything in the documentation regarding it. (Our 2 4710 were setup prior in a routed configuration although I personally see no reason for it.) Regardless, we have 2 servers that host 4 websites on them. We built everything on the ACE with a new VIP and matching the http header. If we use firefox/chrome, it load balances properly and we are prompted for credentials as those browsers don't support single sign on. We enter our credentials and are able to get to the appropriate website on the server.
When we use IE, it fails to open the page. A sniffer capture shows an authentication failure packet and a reset and that's it. We built the ACE both as sticky and non-sticky but neither worked properly with IE.
Is there something else in the ACE we need to configure to get SSO to work? Thanks in advance!
Chris
**NEW CONFIGURATION**
probe icmp PING
description ICMP echo request probe
interval 5
passdetect interval 5
passdetect count 12
receive 4
probe tcp TCP-80
description TCP port 80 probe
interval 5
passdetect interval 5
passdetect count 12
receive 4
connection term forced
open 1
rserver host corp-w-sp-lab01
ip address 10.250.1.52
probe PING
inservice
rserver host corp-w-sp-lab02
ip address 10.250.1.53
probe PING
inservice
serverfarm host sharepoint-test-80
failaction purge
predictor leastconns
probe TCP-80
rserver corp-w-sp-lab01 80
    inservice
rserver corp-w-sp-lab02 80
    inservice
class-map match-any sharepoint-test-vip
2 match virtual-address 10.250.89.10 tcp eq www
class-map type http loadbalance match-any intranet-test
match http header Host header-value http://intranettest
class-map type http loadbalance match-any dashboards-test
match http header Host header-value http://dashboardstest
class-map type http loadbalance match-any odpeople-test
match http header Host header-value http://odpeopletest
class-map type http loadbalance match-any sandbox-test
match http header Host header-value http://sandbox
policy-map type loadbalance http first-match sharepoint-test-lb
class intranet-test
      serverfarm sharepoint-test-80
class dashboards-test
      serverfarm sharepoint-test-80
class odpeople-test
      serverfarm sharepoint-test-80
class sandbox-test
      serverfarm sharepoint-test-80
class class-default
      serverfarm sharepoint-test-80
policy-map multi-match sharepoint-test-80-pol
class sharepoint-test-vip
    loadbalance vip inservice
    loadbalance policy sharepoint-test-lb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 92
interface vlan 88
service-policy input sharepoint-test-80-pol
***CONFIGURATION ALREADY ON INTERFACES PRIOR TO NEW CONFIG***
interface vlan 88
description Client_Connections
ip address 10.250.88.51 255.255.252.0
alias 10.250.88.50 255.255.252.0
peer ip address 10.250.88.52 255.255.252.0
access-group input Client
service-policy input remote_mgmt_allow_policy
service-policy input PM_LB_FRONTEND
no shutdown
interface vlan 92
description RealServer_Network
ip address 10.250.92.51 255.255.252.0
alias 10.250.92.50 255.255.252.0
peer ip address 10.250.92.52 255.255.252.0
nat-pool 1 10.250.93.1 10.250.93.1 netmask 255.255.255.255 pat
service-policy input remote_mgmt_allow_policy
no shutdown

Hi Chris,
Try this:
parameter-map type http sample
persistence-rebalance
set header-maxparse-length 65535
set content-maxparse-length 65535
length-exceed continue
policy-map multi-match sharepoint-test-80-pol
class sharepoint-test-vip
    loadbalance vip inservice
    loadbalance policy sharepoint-test-lb
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options sample
    nat dynamic 1 vlan 92
Let me know if you see any difference
Cesar R
ANS Team

ACE 4710 Pls need help

Hi,
Pls can you help me find out where is my error in the below:
I have an ACE 4710. Also I have 2 Bluecoat Proxy SG working in proxy mode. I want the ACE to be the Load Balancer for these 2 Proxy SG. I configure the ACE as below and put the vip-address in the Internet Explorer LAN Settings but it did not work. Also I configure Policy-based Routing on the Core Switch (for any http or https traffic going through core apply set ip next-hop vip-address).
Core SW SVI:
interface Vlan56
description BC Proxy
ip address 10.0.1.33 255.255.255.224
interface Vlan57
description ACE-LB-Alias
ip address 10.0.1.65 255.255.255.224
ACE 4710:
hostname VSS-ACE-BC-01
interface gigabitEthernet 1/1
description Management
speed 1000M
duplex FULL
switchport access vlan 101
no shutdown
interface gigabitEthernet 1/2
description User Side
speed 1000M
duplex FULL
switchport access vlan 56
no shutdown
interface gigabitEthernet 1/3
description BC Proxy Side
speed 1000M
duplex FULL
switchport access vlan 57
no shutdown
interface gigabitEthernet 1/4
description Failover
speed 1000M
duplex FULL
ft-port vlan 900
no shutdown
context Admin
member sticky
access-list external line 10 extended permit ip any any
access-list external line 20 extended permit icmp any any
access-list external line 30 extended permit tcp any any
access-list external line 40 extended permit udp any any
access-list internal line 10 extended permit ip any any
access-list internal line 20 extended permit icmp any any
access-list internal line 30 extended permit tcp any any
access-list internal line 40 extended permit udp any any
probe tcp web443
port 443
interval 30
faildetect 1
passdetect interval 30
passdetect count 1
open 1
probe tcp web8080
port 8080
interval 30
faildetect 1
passdetect interval 30
passdetect count 1
open 1
rserver host BC01
ip address 10.0.1.41
inservice
rserver host BC02
ip address 10.0.1.42
inservice
serverfarm host web443
probe web443
rserver BC01
    inservice
rserver BC02
    inservice
serverfarm host web8080
probe web8080
rserver BC01
    inservice
rserver BC02
    inservice
sticky ip-netmask 255.255.255.255 address source group1
replicate sticky
serverfarm web8080
sticky ip-netmask 255.255.255.255 address source group2
replicate sticky
serverfarm web443
class-map type management match-any REMOTE_ACCESS
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
5 match protocol http any
6 match protocol snmp any
class-map match-all external-web
2 match virtual-address 10.0.1.70 any
class-map match-all external-web443
2 match virtual-address 10.0.1.70 any
class-map match-any nat-class
2 match access-list external
policy-map type management first-match REMOTE_MGMT
class REMOTE_ACCESS
    permit
policy-map type loadbalance http first-match slb
class class-default
    sticky-serverfarm group1
policy-map type loadbalance http first-match slb443
class class-default
    sticky-serverfarm group2
policy-map multi-match external-access
class nat-class
    nat dynamic 1 vlan 57
class external-web
    loadbalance vip inservice
    loadbalance policy slb
class external-web443
    loadbalance vip inservice
    loadbalance policy slb443
timeout xlate 120
interface vlan 56
description Server-Side
ip address 10.0.1.43 255.255.255.224
ip verify reverse-path
alias 10.0.1.40 255.255.255.224
peer ip address 10.0.1.44 255.255.255.224
mac-address autogenerate
access-group input internal
service-policy input REMOTE_MGMT
no shutdown
interface vlan 57
description VIP-Interface
ip address 10.0.1.67 255.255.255.224
alias 10.0.1.66 255.255.255.224
peer ip address 10.0.1.68 255.255.255.224
mac-address autogenerate
access-group input external
service-policy input external-access
service-policy input REMOTE_MGMT
no shutdown
interface vlan 101
description Management
ip address 10.220.1.131 255.255.255.0
alias 10.220.1.133 255.255.255.0
peer ip address 10.220.1.132 255.255.255.0
mac-address autogenerate
service-policy input REMOTE_MGMT
no shutdown
ft interface vlan 900
ip address 172.20.100.1 255.255.255.252
peer ip address 172.20.100.2 255.255.255.252
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 20
ft-interface vlan 900
ft group 1
peer 1
priority 200
peer priority 150
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 10.0.1.65

I see that you used:
nat dynamic 1 vlan 57
Where is the nat pool on Vlan 57 ?
May be you can try to assign that and that should help.
Something like below:
Interface vlan 57
nat-pool 1 10.0.1.93 10.0.1.93 netmask 255.255.255.224 pat
regards,
Ajay Kumar

Add two servers with ACE 4710

Dear All,
We have two servers (sharepoint ) and need to add it in ACE 4710 to works as internal no need WAN , how to add it ?
Thanks a lot in Advance

Hi,
Here's the example:
Let's say you have two servers
rserver host SERVER_01
ip address 192.168.1.11
inservice
rserver host SERVER_02
ip address 192.168.1.12
inservice
rserver host SERVER_03
ip address 192.168.1.13
inservice
You add them in serverfarm
serverfarm host REAL_SERVERS
rserver SERVER_01
    inservice
rserver SERVER_02
    inservice
rserver SERVER_03
    inservice
After that you configure the VIP and condition. Here any means any protocol and port
class-map match-all VIP-30
2 match virtual-address 172.16.51.30 any
YOu define the L7 policy map
policy-map type loadbalance first-match SLB_LOGIC
class class-default
    serverfarm REAL_SERVERS--------->Serverfarm to which traffic would be loadbalanced.
policy-map multi-match CLIENT_VIPS---->L3 policy map.
class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    nat dynamic 1 vlan 451----------------->You need to apply the NAT when your client is in same subnet as server so that return traffic comes back to ACE and not to client directly.
interface vlan 251
description Client vlan
ip address 172.16.51.11 255.255.255.0
access-group input ANYONE
service-policy input REMOTE_MGT
service-policy input CLIENT_VIPS
no shutdown
interface vlan 451
description Servers vlan
ip address 192.168.1.1 255.255.255.0
nat-pool 1 192.168.1.100 192.168.1.110 netmask 255.255.255.0 pat---->Nat pool defined. It should always be on server side vlan.
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.51.1
Regards,
Kanwal
Note: Please mark answers if they are helpful.

ACE 4710 is not working

Hi. I'm working on the Cisco ACE 4710 to be able to load balance web Traffic between several web servers. but despite following the steps mentioned on the Cisco configuration guide (specially this link and related docs: http://docwiki.cisco.com/wiki/Cisco_ACE_4700_Series_Appliance_Quick_Start_Guide,_Release_A3(1.0)_--_Creating_a_Virtual_Context) we did not managed to make it. we tested both the "bridged scenario" and "routed scenario" but none of them is working. specifically "configuring Nat" in the above link is very confusing and is not clear; because it's not the same as Cisco IOS, which we used to implement it that way.
Routed Scenario:
==========================================
probe http Http_Probe
description Server Healty Check
port 80
request method head url /index.htm
probe icmp ICMP_Check
interval 10
passdetect interval 5
rserver host NetCad_Server_1
ip address 172.16.1.100
probe ICMP_Check
inservice
rserver host NetCad_Server_2
ip address 172.16.1.101
probe ICMP_Check
inservice
rserver host NetCad_Server_3
ip address 172.16.1.102
probe ICMP_Check
inservice
serverfarm host NetCad_Servers
probe Http_Probe
rserver NetCad_Server_1 80
inservice
rserver NetCad_Server_2 80
inservice
rserver NetCad_Server_3 80
inservice
sticky http-cookie Cookie1 1
serverfarm NetCad_Servers
class-map match-all VS_NetCad
2 match virtual-address 192.168.13.162 255.255.252.0 tcp any
policy-map type management first-match mgmt-pm
class class-default
permit
policy-map type loadbalance first-match VS_NetCad-l7slb
class class-default
serverfarm NetCad_Servers
policy-map multi-match int40
class VS_NetCad
loadbalance vip inservice
loadbalance policy VS_NetCad-l7slb
loadbalance vip icmp-reply
interface vlan 40
description Client Side
ip address 192.168.13.161 255.255.252.0
ip options allow
no normalization
no icmp-guard
access-group input Permit_ALL
service-policy input mgmt-pm
service-policy input int40
no shutdown
interface vlan 41
description Server Side
ip address 172.16.1.1 255.255.255.0
ip options allow
no normalization
no icmp-guard
access-group input Permit_ALL
nat-pool 1 172.16.1.110 172.16.1.110 netmask 255.255.255.255 pat
service-policy input mgmt-pm
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.12.1
==========================================

Hi,
Let me explain you.
Assuming client IP as 1.1.1.1, VIP as 2.2.2.2 and Real Server as 3.3.3.3
Consider the simple situation where client needs to access an application hosted on 3.3.3.3. Client sends a request which comes to VIP.
src 1.1.1.1----->dst------->2.2.2.2. ACE after matching conditions and taking LB decision decides to send it to 3.3.3.3 real server. Performs destination NAT and forwards the client request to 3.3.3.3. So the above packet L3 header will now look like:
src 1.1.1.1 dst 3.3.3.3. When reply comes from server, ACE will change src 3.3.3.3 back to 2.2.2.2 and forwards the request to client 1.1.1.1. SIMPLE LB.
Now comes a situation where let's say you want to hide the client IP from server or let's say server's default GW is not ACE or client and server are in same subnet but need to communicate through VIP on ACE etc.
Src 1.1.1.1 dst 2.2.2.2
After LB ace decides to send it to 3.3.3.3 but also policy multi match has nat rule (nat dynamic 1 vlan x). But packet would be forwarded from server vlan where you have NAT pool defined. So let's say pool IP is 3.3.3.4. So ACE will perform both destination as well as src NAT here before forwarding the packet to server and packet L3 header will look like:
src 3.3.3.4 ----->dst 3.3.3.3
Now when 3.3.3.3 has to send packet back, ACE will answer ARP for 3.3.3.3 and hence packet will come back to ACE which will again change the L3 header IP's and send it out the client VLAN towards client.
So NAT is always applied to server side vlan and that's why pool is chosen from server side subnet.
Let me know if you have any questions.
Regards,
Kanwal

Rservers initiated traffic not sourcing the traffic as VIP in Ace 4710

One of the feature of our application is that our Application Server initiate text message to our devices sourcing from UDP 1120 and device need to see the message come from a specific pubic IP (2.2.2.2) with UDP port 1120 and reply back with the same Public IP (2.2.2.2) with UDP port 1120.The problem is we can make that happen if we have only one server in our ACE Serverfarm when we do a SNAT the real servers with the VIP address (10.1.246.32) but it does not work when we have more than one server in the Serverfarm. Since we have 2 servers, i cannot nat the real servers with the VIP address, if I do a PAT, obviously it is changing the source port of the request.
Note: This setup is working fine with the Cisco Content Switch module running on chasis 6509. When I sniff the traffic initiated from the server coming the CSM load balancer, it is sourcing the traffic as the VIP and the source port remains the same by default but this is not the case with ACE 4710
Traffic flow as follows
===============
ACE 4710                                                       FWSM (Firewall static NAT)                    Device ( configured with 2.2.2.2:1120 (udp) to snd/rcv msg)
                                             VIP
Rserver 1   - 10.1.104.80       10.1.246.32           10.1.246.32 < - > 2.2.2.2                              1.1.1.1
Rserver 2   - 10.1.104.81c
---------------------------------------------------------->           ------------------------------->                      - traffic flow from server to the device when we send msg
Configs:
======
rserver host server1
ip address 10.1.104.80
inservice
rserver host server2
ip address 10.1.104.81
inservice
serverfarm host SFARM
failaction purge
probe ICMP
rserver server1
    inservice
rserver server2
    inservice
access-list TEST-1120 line 8 extended permit udp host 10.1.104.80 eq 1120 any
access-list TEST-1120 line 16 extended permit udp host 10.1.104.81 eq 1120 any
parameter-map type connection UDP_TIMEOUT
set timeout inactivity 3600
sticky ip-netmask 255.255.255.255 address source STKY-SFARM
serverfarm SFARM
timeout 180
replicate sticky
class-map match-all CLS-SFARM
2 match virtual-address 10.1.246.32 udp eq 1120
class-map match-all SERVERNAT
2 match access-list TEST-1120
policy-map type loadbalance first-match POL-SFARM
class class-default
    sticky-serverfarm STKY-SFARM
policy-map multi-match POL-LB
class CLS-SFARM
    loadbalance vip inservice
    loadbalance policy POL-SFARM
    loadbalance vip icmp-reply active
    connection advanced-options UDP_TIMEOUT
class SERVERNAT
   nat dynamic 1 vlan 244
int vlan 244
ip address 10.1.246.2 255.255.255.0
service-policy input POL-LB
nat-pool 1 10.1.246.32 10.1.246.32 netmask 255.255.255.255
mac-sticky enable
no icmp-guard
no shut
interface vlan 2506
ip address 10.1.104.2 255.255.255.0
service-policy input POL-LB
mac-sticky enable
no icmp-guard
no shut

I see in CSS, they are able to nat the source ip address with VIP and port-mapping diabled. How do I implement
portmap disable in ACE 4710
Disabling Port Mapping
By default, the CSS NATs source IP addresses and PATs source ports for a configured source group. If you configure the portmap disablecommand in a source group, the CSS performs NAT on the source IP addresses but does not perform PAT on the source ports of UDP traffic that matches on that source group.
For UDP applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups instead of using the portmap disable command. Destination services cause the CSS to NAT the client source ports, but not the destination ports. For information about configuring destination services,

Access Server through VIP (ACE 4710) but very slow

Re: Access Server through VIP (ACE 4710) but very slow
Hi Shiva
Kindly Help .....Accessing the server very slow.., Plz check my real configuration... this configuration is for application server and after this i have to configure more serverfarm for different server like webmail etc. in this ACE 4710. I have only one ACE 4710 .
ACE Version A4(2.0) = is there supports Probe with this version.??? without probe server will work but very slow. And plz guide Nat-pool is required
VIP :-- 172.16.15.8
LB/Admin# sh run
Generating configuration....
no ft auto-sync startup-config
logging enable
logging host 172.29.91.112 udp/514
resource-class RC1
limit-resource all minimum 10.00 maximum unlimited
boot system image:c4710ace-mz.A4_2_0.bin
hostname LB
interface gigabitEthernet 1/1
description Management
speed 1000M
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
description clientside
switchport access vlan 30
no shutdown
interface gigabitEthernet 1/3
description serverside
switchport access vlan 31
no shutdown
interface gigabitEthernet 1/4
no shutdown
context Admin
description Management
member RC1
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe http probe1
description health check
interval 5
passdetect interval 10
request method head
expect status 200 200
open 1
rserver redirect https_redirect
description redirect traffic to https
webhost-redirection / 302
inservice
rserver redirect maintenance_page
description maintenance page displayed
webhost-redirection /sry.html 301
inservice
rserver host web1
ip address 192.168.10.3
inservice
rserver host web2
ip address 192.168.10.4
inservice
rserver host web3
ip address 192.168.10.5
inservice
serverfarm host http
rserver web1
    inservice
rserver web2
    inservice
rserver web3
    inservice
serverfarm redirect https_redirect_farm
description Redirect traffic to https
serverfarm redirect maintenance_farm
description send user to maintenance page
parameter-map type connection paramap_http
description parameter connection tcp
exceed-mss allow
sticky ip-netmask 255.255.255.0 address source Sticky_http
timeout activeconns
serverfarm http
class-map match-all REMOTE-ACCESS
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
class-map match-all slb-vip
2 match virtual-address 172.16.15.8 tcp eq www
policy-map type management first-match remote_access
class class-default
    permit
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
    permit
policy-map type loadbalance first-match slb
class class-default
    serverfarm http
policy-map type inspect http all-match slb-vip-http
class class-default
    permit
policy-map multi-match client-vips
class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
    loadbalance vip icmp-reply active
    inspect http policy slb-vip-http
    connection advanced-options paramap_http
interface vlan 30
description "Client Side"
ip address 172.16.15.24 255.255.255.0
access-group input everyone
service-policy input client-vips
no shutdown
interface vlan 31
description "Server Side"
ip address 192.168.10.1 255.255.255.0
service-policy input remote_access
no shutdown
interface vlan 1000
description managment
ip address 172.29.91.110 255.255.255.0
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.15.1
snmp-server contact "PHQ"
snmp-server community phq group Network-Monitor
snmp-server trap-source vlan 1000
username admin password 5 $1$b2txbc5U$TA74D920oSdd2eOZ4hSFe/ role Admin domain
default-domain
username www password 5 $1$.GuWwQEK$r8Ub4OcE3l190d5GA4kvR. role Admin domain de
fault-domain
username prem password 5 $1$8C7eRKrI$it3UV4URZ26X4S/Bh6OEr0 role Admin domain d
efault-domain
ssh key rsa 1024 force
banner motd # "ro" #
Regards,
Prem

Hi Shiva,
plz guide i'm new with ACE LB, also find my n/w design for connected ace to server. but server accessing very very slow, but when i connect through my old server software LB (with two interface)then accessing very fast. I just replace my old serverLB(with two interface) to ACE4710 and connect the same scenario then why not server accessing smoothly with VIP .Reply soon only I connect ACE's two interface with switch.....
Regards,
Prem

ACE 4710 Setup

Dear All,
I have task to add two servers to work with ACE 4710 , the client is coming from internal network and the end host (our servers).
I don,t know how to connect it physically and do the configuration.
Thanks a lot in advance .

Hi,
Below is basic configuration example with three real servers and Source NAT.
Let's say you have three servers:
rserver host SERVER_01
ip address 192.168.1.11
inservice
rserver host SERVER_02
ip address 192.168.1.12
inservice
rserver host SERVER_03
ip address 192.168.1.13
inservice
You add them in serverfarm
serverfarm host REAL_SERVERS
rserver SERVER_01
    inservice
rserver SERVER_02
    inservice
rserver SERVER_03
    inservice
After that you configure the VIP and condition. Here any means any protocol and port
class-map match-all VIP-30
2 match virtual-address 172.16.51.30 any
YOu define the L7 policy map
policy-map type loadbalance first-match SLB_LOGIC
class class-default
    serverfarm REAL_SERVERS--------->Serverfarm to which traffic would be loadbalanced.
policy-map multi-match CLIENT_VIPS---->L3 policy map.
class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    nat dynamic 1 vlan 451----------------->You need to apply the NAT when your client is in same subnet as server so that return traffic comes back to ACE and not to client directly or when your servers default GW is not ACE.
interface vlan 251
description Client vlan------------------->VIP is in this subnet
ip address 172.16.51.11 255.255.255.0
access-group input ANYONE
service-policy input REMOTE_MGT
service-policy input CLIENT_VIPS
no shutdown
interface vlan 451--------------->Server side subnet
description Servers vlan
ip address 192.168.1.1 255.255.255.0
nat-pool 1 192.168.1.100 192.168.1.110 netmask 255.255.255.0 pat---->Nat pool defined. It should always be on server side vlan.
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.51.1
I would also suggest going through the below for basic troubleshooting and understanding.
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Troubleshooting_Guide_--_Overview_of_ACE_Troubleshooting
Basic loadbalancing using routed mode:
http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_Routed_Mode_on_the_Cisco_Application_Control_Engine_Configuration_Example
And if you have any questions, please put them here and we will be glad to help.
Regards,
Kanwal
Note: Please mark answers if they are helpful.

ACE: 4710 Policy-Map NAT

Similar Messages

Maybe you are looking for